Skip to content
CI Pipeline

Fix ci #26

Sign in to view logs

Fix ci

Fix ci #26

Workflow file for this run

.github/workflows/ci.yml at 1742b6d
name: CI Pipeline
on:
push:
branches: ["*"]
pull_request:
branches: ["*"]
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: "1.23"
- name: Cache Go modules
uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Install dependencies
run: go mod download
- name: Run unit tests
run: go test -v -race -coverprofile=coverage.out ./...
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
file: ./coverage.out
flags: unittests
name: codecov-umbrella
lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: "1.23"
- name: Run golangci-lint
uses: golangci/golangci-lint-action@v3
with:
version: latest
args: --timeout=5m
# Security vulnerability scanning
security-scan:
runs-on: ubuntu-latest
name: Security Vulnerability Scan
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: "1.23"
- name: Cache Go modules
uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Install dependencies
run: go mod download
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck and fail if vulnerabilities are found
run: |
govulncheck -json ./... > vuln.json
count=$(jq '[.Vuln[]] | length' vuln.json || echo 0)
echo "Found $count vulnerabilities"
if [ "$count" -gt 0 ]; then
echo "❌ Vulnerabilities found by govulncheck"
cat vuln.json
exit 1
fi
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: Run gosec security scanner
run: |
gosec -fmt sarif -out gosec-results.sarif ./...
continue-on-error: true
- name: Upload gosec results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: gosec-results.sarif
category: gosec
# CodeQL Analysis
codeql-analysis:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["go"]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: "1.23"
- name: Cache Go modules
uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Install dependencies
run: go mod download
- name: Build for CodeQL
run: |
go build -v ./cmd/mpcium
go build -v ./cmd/mpcium-cli
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
# SBOM Generation
sbom:
runs-on: ubuntu-latest
name: Generate SBOM
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: "1.23"
- name: Cache Go modules
uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Install dependencies
run: go mod download
- name: Build binaries
run: |
go build -o mpcium ./cmd/mpcium
go build -o mpcium-cli ./cmd/mpcium-cli
- name: Generate SBOM with anchore/sbom-action (SPDX-JSON)
uses: anchore/sbom-action@v0
with:
artifact-name: sbom-spdx.json
output-file: sbom.spdx.json
format: spdx-json
- name: Generate SBOM with anchore/sbom-action (CycloneDX)
uses: anchore/sbom-action@v0
with:
artifact-name: sbom-cyclonedx.json
output-file: sbom.cyclonedx.json
format: cyclonedx-json
upload-artifact: false
- name: Generate SBOM with anchore/sbom-action (Syft JSON)
uses: anchore/sbom-action@v0
with:
artifact-name: sbom-syft.json
output-file: sbom.syft.json
format: syft-json
upload-artifact: false
- name: Upload all SBOM artifacts
uses: actions/upload-artifact@v4
with:
name: sbom-files
path: |
sbom.spdx.json
sbom.cyclonedx.json
sbom.syft.json
retention-days: 30
- name: Scan SBOM with Grype
run: |
grype sbom.spdx.json -o sarif --file grype-results.sarif
continue-on-error: true
- name: Upload Grype results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: grype-results.sarif
category: grype
- name: Display SBOM summary
run: |
echo "📦 SBOM Generation Summary"
echo "========================="
echo "Generated SBOM files:"
ls -la sbom.*
echo ""
echo "SBOM package count:"
echo "SPDX: $(jq '.packages | length' sbom.spdx.json)"
echo "CycloneDX: $(jq '.components | length' sbom.cyclonedx.json)"
echo "Syft: $(jq '.artifacts | length' sbom.syft.json)"
build:
runs-on: ubuntu-latest
needs: [test, lint, security-scan, codeql-analysis, sbom]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: "1.23"
- name: Cache Go modules
uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Build mpcium
run: go build -v ./cmd/mpcium
- name: Build mpcium-cli
run: go build -v ./cmd/mpcium-cli